OWASP mapping

Security-misconfiguration-related vulnerabilities are part of the OWASP Top 10 2017, where they are covered under A6:2017 Security Misconfiguration. Some of the weaknesses listed under this category are as follows:

  • Security hardening not done on the application stack.
  • Unnecessary or unwanted features are enabled or installed (for example, ports, services, admin pages, accounts, or privileges). The following image shows the default Tomcat page accessible to all users:

  • Application default accounts are active with default passwords.
  • Improper error handling reveals stack traces and internal application information as shown in the following image:

  • Application servers, application frameworks (for example, Struts, Spring, ASP.NET), libraries, databases, and so on, aren't configured securely.
  • The application allows directory listing as shown in the following image:

Nikto is an excellent tool that scans for security misconfiguration issues, as shown in the following image:
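The checks Nikto performs for the categories listed above can also be expressed as a small, offline audit over captured HTTP responses, which is useful when you want a repeatable configuration test in a build pipeline rather than a one-off scan. The following Python is an added example written for this section; it is not Nikto's code and not code from the book. The marker strings (the Tomcat welcome text, the "Index of /" title, Java and Python stack-trace shapes, version-bearing Server headers, and the administrative paths) are the editor's assumptions about what these pages typically look like, and the sample responses are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Heuristic signatures for the A6:2017 misconfiguration classes discussed in the text.
# These are assumed, typical markers, not an exhaustive or authoritative list.
DIRECTORY_LISTING = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
TOMCAT_DEFAULT_PAGE = re.compile(
    r"If you're seeing this, you've successfully installed Tomcat", re.IGNORECASE
)
STACK_TRACE = re.compile(
    r"(\bat [\w$.]+\([\w.]+:\d+\)"            # Java frame:  at pkg.Class.method(Class.java:42)
    r"|Traceback \(most recent call last\)"   # Python traceback header
    r"|Exception in thread)"                  # uncaught-exception banner from the JVM
)
VERSION_BANNER = re.compile(r"^(Apache|nginx|Microsoft-IIS)/\d", re.IGNORECASE)
# Administrative interfaces that should never answer 200 to an unauthenticated client.
ADMIN_PATHS = ("/manager/html", "/host-manager/html", "/phpmyadmin/", "/admin/")


def audit_response(path: str, status: int, headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of misconfiguration findings for one captured HTTP response."""
    findings: List[str] = []
    hdrs = {k.lower(): v for k, v in headers.items()}

    if DIRECTORY_LISTING.search(body):
        findings.append(f"{path}: directory listing is enabled")
    if TOMCAT_DEFAULT_PAGE.search(body):
        findings.append(f"{path}: default Tomcat welcome page is still deployed")
    if STACK_TRACE.search(body):
        findings.append(f"{path}: stack trace disclosed in response (status {status})")
    server = hdrs.get("server", "")
    if VERSION_BANNER.match(server):
        findings.append(f"{path}: Server header discloses product version ({server})")
    if status == 200 and path.lower().startswith(ADMIN_PATHS):
        findings.append(f"{path}: administrative interface reachable without authentication")
    return findings


def audit_site(responses: List[dict]) -> Dict[str, List[str]]:
    """Audit a list of captured responses; returns only the paths that have findings."""
    report: Dict[str, List[str]] = {}
    for r in responses:
        found = audit_response(r["path"], r["status"], r["headers"], r["body"])
        if found:
            report[r["path"]] = found
    return report


# Constructed sample responses, standing in for a crawl of a staging server.
SAMPLE_RESPONSES = [
    {   # unneeded default content: the stock Tomcat ROOT application
        "path": "/", "status": 200, "headers": {"Server": "Apache-Coyote/1.1"},
        "body": "<html><head><title>Apache Tomcat</title></head><body><h2>If you're seeing "
                "this, you've successfully installed Tomcat. Congratulations!</h2></body></html>",
    },
    {   # directory listing plus a version-disclosing Server header
        "path": "/uploads/", "status": 200, "headers": {"Server": "Apache/2.4.41 (Ubuntu)"},
        "body": '<html><head><title>Index of /uploads</title></head><body><h1>Index of '
                '/uploads</h1><a href="backup.zip">backup.zip</a></body></html>',
    },
    {   # improper error handling: a raw Java stack trace in a 500 page
        "path": "/checkout", "status": 500, "headers": {"Server": "Apache-Coyote/1.1"},
        "body": "<pre>java.lang.NullPointerException\n"
                "\tat com.example.shop.Cart.total(Cart.java:42)\n"
                "\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter"
                "(ApplicationFilterChain.java:231)</pre>",
    },
    {   # manager app present but correctly demanding credentials: no finding
        "path": "/manager/html", "status": 401,
        "headers": {"Server": "Apache-Coyote/1.1",
                    "WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'},
        "body": "401 Unauthorized",
    },
    {   # a clean page with a generic Server header
        "path": "/products", "status": 200, "headers": {"Server": "webserver"},
        "body": "<html><body>catalogue</body></html>",
    },
]

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE_RESPONSES).items():
        for finding in findings:
            print(finding)
```

The checks are deliberately conservative: a 401 on `/manager/html` is the expected state and produces no finding, and the generic `Apache-Coyote/1.1` header is not flagged because it does not reveal the Tomcat version. In practice you would feed `audit_site` with responses recorded by your own crawler against a staging host, and fail the build when the report is non-empty.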
